Merge pull request #102040 from njuptlzf/fix_conversion

Fix auditing failed of request: encoding failed

Kubernetes-commit: 9d27400fe20867c5f811f21a2571974887cf3d1e
Kubernetes Publisher 2021-06-05 19:58:38 -07:00
commit 71dfa70b21
7 changed files with 23 additions and 17 deletions

2
Godeps/Godeps.json generated

@ -944,7 +944,7 @@
},
{
"ImportPath": "k8s.io/component-base",
"Rev": "a36b18ffecae"
"Rev": "1946a51be3de"
},
{
"ImportPath": "k8s.io/gengo",

4
go.mod

@ -41,7 +41,7 @@ require (
k8s.io/api v0.0.0-20210604195109-9f22d1265651
k8s.io/apimachinery v0.0.0-20210604114423-aec8116c445f
k8s.io/client-go v0.0.0-20210604195650-ded678f91ed5
k8s.io/component-base v0.0.0-20210604115352-a36b18ffecae
k8s.io/component-base v0.0.0-20210605195000-1946a51be3de
k8s.io/klog/v2 v2.9.0
k8s.io/kube-openapi v0.0.0-20210421082810-95288971da7e
k8s.io/utils v0.0.0-20210521133846-da695404a2bc
@ -54,5 +54,5 @@ replace (
k8s.io/api => k8s.io/api v0.0.0-20210604195109-9f22d1265651
k8s.io/apimachinery => k8s.io/apimachinery v0.0.0-20210604114423-aec8116c445f
k8s.io/client-go => k8s.io/client-go v0.0.0-20210604195650-ded678f91ed5
k8s.io/component-base => k8s.io/component-base v0.0.0-20210604115352-a36b18ffecae
k8s.io/component-base => k8s.io/component-base v0.0.0-20210605195000-1946a51be3de
)

4
go.sum

@ -701,8 +701,8 @@ k8s.io/apimachinery v0.0.0-20210604114423-aec8116c445f h1:DmoZH3nTdy0sXQ7iZ6Gd3b
k8s.io/apimachinery v0.0.0-20210604114423-aec8116c445f/go.mod h1:5zcgojGmAy5Bo3S4mgZWAt6HwoKzaSh4MV3ITvlcOVM=
k8s.io/client-go v0.0.0-20210604195650-ded678f91ed5 h1:zb0G/VmukmYiPgkwoAJ8wn41hwO3mySwMny0C1XkTCo=
k8s.io/client-go v0.0.0-20210604195650-ded678f91ed5/go.mod h1:kSx8A96VUSpBA4jTX1ogcPiKm8hb7r1mbnUMpk0g/1w=
k8s.io/component-base v0.0.0-20210604115352-a36b18ffecae h1:SrR3cXX+c4s3cGT2WPAM99/fGaeB9V1iR833PMNogsg=
k8s.io/component-base v0.0.0-20210604115352-a36b18ffecae/go.mod h1:oPR2PvsBptV/gMBmL6av4Ss+EGA7ctjVPZ+B+NEhhko=
k8s.io/component-base v0.0.0-20210605195000-1946a51be3de h1:fXG9daybdpGcUPH1GRSzEW5Y/XnDwdGQfUYTRup1/G4=
k8s.io/component-base v0.0.0-20210605195000-1946a51be3de/go.mod h1:crEIsgh9DV2JslpwAGBUoOyYTr2nj2UH4xFZjghQE34=
k8s.io/gengo v0.0.0-20200413195148-3a45101e95ac/go.mod h1:ezvh/TsK7cY6rbqRK0oQQ8IAqLxYwwyPxAX1Pzy0ii0=
k8s.io/klog/v2 v2.0.0/go.mod h1:PBfzABfn139FHAV07az/IF9Wp1bkk3vpT2XSJ76fSDE=
k8s.io/klog/v2 v2.9.0 h1:D7HV+n1V57XeZ0m6tdRkfknthUaM06VFbWldOFh8kzM=


@ -111,7 +111,7 @@ func LogImpersonatedUser(ae *auditinternal.Event, user user.Info) {
// LogRequestObject fills in the request object into an audit event. The passed runtime.Object
// will be converted to the given gv.
func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, objGV schema.GroupVersion, gvr schema.GroupVersionResource, subresource string, s runtime.NegotiatedSerializer) {
if ae == nil || ae.Level.Less(auditinternal.LevelMetadata) {
return
}
@ -153,7 +153,7 @@ func LogRequestObject(ae *auditinternal.Event, obj runtime.Object, gvr schema.Gr
// TODO(audit): hook into the serializer to avoid double conversion
var err error
ae.RequestObject, err = encodeObject(obj, gvr.GroupVersion(), s)
ae.RequestObject, err = encodeObject(obj, objGV, s)
if err != nil {
// TODO(audit): add error slice to audit event struct
klog.Warningf("Auditing failed of %v request: %v", reflect.TypeOf(obj).Name(), err)
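Review bot: The doc comment above LogRequestObject still says the object "will be converted to the given gv", which is ambiguous now that the signature carries both `objGV` and `gvr`; it should name the parameter that drives encoding, for example `// The passed runtime.Object will be encoded in objGV, the group version the request body was decoded as.` On the failure path in the second hunk the only trace is a klog warning, and the event appears to go out without a RequestObject, so the warning is what an operator has to notice the audit gap. `reflect.TypeOf(obj).Name()` returns an empty string for pointer types, which is consistent with the commit title quoting the message as "Auditing failed of request"; `klog.Warningf("Auditing failed of %T request: %v", obj, err)` would keep the type visible. The function body continues outside both hunks.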


@ -123,8 +123,10 @@ func createHandler(r rest.NamedCreater, scope *RequestScope, admit admission.Int
scope.err(err, w, req)
return
}
if !scope.AcceptsGroupVersion(gvk.GroupVersion()) {
err = errors.NewBadRequest(fmt.Sprintf("the API version in the data (%s) does not match the expected API version (%v)", gvk.GroupVersion().String(), gv.String()))
objGV := gvk.GroupVersion()
if !scope.AcceptsGroupVersion(objGV) {
err = errors.NewBadRequest(fmt.Sprintf("the API version in the data (%s) does not match the expected API version (%v)", objGV.String(), gv.String()))
scope.err(err, w, req)
return
}
@ -141,7 +143,7 @@ func createHandler(r rest.NamedCreater, scope *RequestScope, admit admission.Int
ae := request.AuditEventFrom(ctx)
admit = admission.WithAudit(admit, ae)
audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
userInfo, _ := request.UserFrom(ctx)


@ -92,7 +92,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
// For backwards compatibility, we need to allow existing clients to submit per group DeleteOptions
// It is also allowed to pass a body with meta.k8s.io/v1.DeleteOptions
defaultGVK := scope.MetaGroupVersion.WithKind("DeleteOptions")
obj, _, err := metainternalversionscheme.Codecs.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
obj, gvk, err := metainternalversionscheme.Codecs.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
if err != nil {
scope.err(err, w, req)
return
@ -104,7 +104,8 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
trace.Step("Decoded delete options")
ae := request.AuditEventFrom(ctx)
audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
objGV := gvk.GroupVersion()
audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
trace.Step("Recorded the audit event")
} else {
if err := metainternalversionscheme.ParameterCodec.DecodeParameters(req.URL.Query(), scope.MetaGroupVersion, options); err != nil {
@ -144,6 +145,7 @@ func DeleteResource(r rest.GracefulDeleter, allowsOptions bool, scope *RequestSc
// Other cases where resource is not instantly deleted are: namespace deletion
// and pod graceful deletion.
//lint:ignore SA1019 backwards compatibility
//nolint: staticcheck
if !wasDeleted && options.OrphanDependents != nil && !*options.OrphanDependents {
status = http.StatusAccepted
}
@ -238,7 +240,7 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope *RequestSc
// For backwards compatibility, we need to allow existing clients to submit per group DeleteOptions
// It is also allowed to pass a body with meta.k8s.io/v1.DeleteOptions
defaultGVK := scope.Kind.GroupVersion().WithKind("DeleteOptions")
obj, _, err := scope.Serializer.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
obj, gvk, err := scope.Serializer.DecoderToVersion(s.Serializer, defaultGVK.GroupVersion()).Decode(body, &defaultGVK, options)
if err != nil {
scope.err(err, w, req)
return
@ -249,7 +251,8 @@ func DeleteCollection(r rest.CollectionDeleter, checkBody bool, scope *RequestSc
}
ae := request.AuditEventFrom(ctx)
audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
objGV := gvk.GroupVersion()
audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
} else {
if err := metainternalversionscheme.ParameterCodec.DecodeParameters(req.URL.Query(), scope.MetaGroupVersion, options); err != nil {
err = errors.NewBadRequest(err.Error())
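Review bot: In the DeleteResource audit hunk, `objGV := gvk.GroupVersion()` dereferences the `*GroupVersionKind` returned by Decode after only `err` has been checked, and the same pattern is added in the DeleteCollection hunk. Whether Decode can return a nil kind together with a nil error cannot be determined from these hunks, but a nil here would panic in the request path before the audit record is filled, so a fallback is cheap: `objGV := defaultGVK.GroupVersion()` followed by `if gvk != nil { objGV = gvk.GroupVersion() }`. Unlike the create and update handlers, no `scope.AcceptsGroupVersion(objGV)` check is visible here before the version taken from the request body drives audit encoding. A regression test that sends DeleteOptions as meta.k8s.io/v1 and asserts a populated RequestObject would pin the fix. Both functions start and end outside the hunks shown.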


@ -110,15 +110,16 @@ func UpdateResource(r rest.Updater, scope *RequestScope, admit admission.Interfa
scope.err(err, w, req)
return
}
if !scope.AcceptsGroupVersion(gvk.GroupVersion()) {
err = errors.NewBadRequest(fmt.Sprintf("the API version in the data (%s) does not match the expected API version (%s)", gvk.GroupVersion(), defaultGVK.GroupVersion()))
objGV := gvk.GroupVersion()
if !scope.AcceptsGroupVersion(objGV) {
err = errors.NewBadRequest(fmt.Sprintf("the API version in the data (%s) does not match the expected API version (%s)", objGV, defaultGVK.GroupVersion()))
scope.err(err, w, req)
return
}
trace.Step("Conversion done")
ae := request.AuditEventFrom(ctx)
audit.LogRequestObject(ae, obj, scope.Resource, scope.Subresource, scope.Serializer)
audit.LogRequestObject(ae, obj, objGV, scope.Resource, scope.Subresource, scope.Serializer)
admit = admission.WithAudit(admit, ae)
if err := checkName(obj, name, namespace, scope.Namer); err != nil {